risk

Review of ISO 14971 Deviation #4 specific to the requirement for benefit-risk analysis. This blog is the fourth in a seven-part series.

This blog is the fourth installment in our seven-part series, which reviews each of the content deviations between the three device directives for Europe and international risk management standard (ISO 14971:2007). The deviations were identified in the new European National version of the Standard released in 2012. There was no change to the content of Clauses 1 through 9 in ISO 14971, but then there were seven deviations from the directives identified by the European Commission.

Discretion as to Whether a Benefit-Risk Analysis Needs to Take Place

The fourth deviation is specific to the requirement for risk-benefit analysis. Clauses 6.5 and 7 of the 14971 Standard both imply that a risk/benefit analysis is only required if risks exceed a threshold of acceptability, and Annex D.6.1 indicates that “This International Standard does not require a benefit-risk analysis for every risk.” However, essential requirements 1 and 2 require that you perform a risk/benefit analysis for each risk and overall residual risk. Essential requirement 6a also requires a risk-benefit analysis as part of the conclusion in your Clinical Evaluation Report (http://bit.ly/ER6aMEDDEV).

Your company may have created a risk management procedure, which includes a matrix for severity and probability. The matrix is probably color-coded to identify red cells as unacceptable risks that require a benefit-risk analysis, yellow cells that are ALARP, and green cells that are acceptable. Based upon the guidance provided in ISO 14971, your company probably identified that a benefit-risk analysis is only required for a risk that falls in the red zone of the matrix where the risk is “unacceptable.”

Unfortunately, this approach is not compliant with the European Directives, because the Directives require that a benefit-risk analysis be performed for each risk and all residual risks—not just the risks you identify as unacceptable. The fourth deviation between the ISO 14971 Standard and the Essential Requirements of the European Directives is relatively simple to address with a change to your risk management process. To comply with EN ISO 14971:2012, the “red zone” should not be labeled as a benefit-risk analysis, because even risks in the “green zone” require benefit-risk analysis.

Impact of this Deviation

In a previous blog about deviation #2, we determined that the implementation of risk controls must reduce all risks. In this blog, we established that after the implementation of risk controls, all residual risks must be subject to a benefit-risk analysis. Your company will need to eliminate the use of a risk evaluation matrix like the one shown above. Instead of relying on a risk management policy for evaluating the acceptability of risk, your company should be performing a benefit-risk analysis to determine the acceptability of risks.

The best way to integrate benefit-risk analysis for the evaluation of the acceptability of all risks is to integrate this with the clinical evaluation process. In addition to using clinical literature, clinical study data, and post-market surveillance as inputs for your clinical evaluation, your company should also be using residual risks as inputs to the evaluation. The clinical evaluation should be used to assess the significance of these residual risks, and verify that there are not any risks identified in the clinical evaluation that were not considered in the risk analysis.

In order to document that your company has performed a benefit-risk analysis for each residual risk, you will need to reference the risk management report in the clinical evaluation and vice-versa. Both documents will need to provide traceability to each risk identified in the risk analysis, and conclusions of risk acceptability will need to be based upon the conclusions of the clinical evaluation.

Once the product is launched, you will need to update the clinical evaluation with adverse events and other post-market surveillance information. As part of updating clinical evaluations, you will need to determine the acceptability of the risk when weighed against the clinical benefits. These conclusions will then need to be updated in the risk management report—including any new or revised risks.

If you are interested in ISO 14971 training, we were conducting a risk management training webinar on October 19, 2018.